May 23, 2002

Information System Security

Government Information Security
Reform Act Implementation:
Noncombatant Evacuation
Operations Tracking System
(D-2002-093)

Department of Defense
Office of the Inspector General
Quality    Integrity    Accountability

Additional Copies

To obtain additional copies of this audit report, visit the Inspector General
of the Department of Defense Home Page at www.dodig.osd.mil/audit/reports
or contact the Secondary Reports Distribution Unit of the Audit Followup
and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or
fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup
and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or
fax (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: AFTS Audit Suggestions)
    Inspector General of the Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling
(800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or
by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.
The identity of each writer and caller is fully protected.

Acronyms

ASD(C3I)    Assistant Secretary of Defense (Command, Control,
            Communications, and Intelligence)
DITSCAP     DoD Information Technology Security Certification and
            Accreditation Process
DMDC        Defense Manpower Data Center
GISR        Government Information Security Reform
NTS         Noncombatant Evacuation Operations Tracking System
SSAA        System Security Authorization Agreement

Office of the Inspector General of the Department of Defense

Report No. D-2002-093                                    May 23, 2002
(Project No. D2002LD-0069)

Government Information Security Reform Act Implementation:
Noncombatant Evacuation Operations Tracking System

Executive Summary

Introduction. Public Law 106-398, “Government Information Security Reform,”
title X, subtitle G of the Floyd D. Spence National Defense Authorization Act for
FY 2001, October 30, 2000, requires that each agency obtain an independent
assessment of its security posture. The Inspector General of each agency is required to
evaluate the agency’s security posture based on a review of an independently selected
subset of information systems.

The DoD uses information technology for thousands of processes that are integral to
support and operational functions. Mission-critical, mission-essential, and
support-function processes, or applications, reside on computer systems throughout DoD.

DoD selected a sample of 560 automated information systems from the almost
4,000 automated information systems in DoD. For those 560 systems, DoD developed a
Government Information Security Reform Act collection matrix that was used to gather
data on assessments of the effectiveness of DoD information assurance policies,
procedures, and practices. DoD reported the aggregate results of the assessments for
FY 2001 in “GISR Report FY01: Government Information Security Reform Act,
Report of the Department of Defense,” October 2001. Of the 560 systems, the Office of
the Inspector General of the Department of Defense; the Defense Information Systems
Agency Inspector General; and Military Department Audit Agencies assessed a sample
of 115 systems.
This report is one in a series of Government Information Security
Reform Act audits and is an assessment of the Noncombatant Evacuation Operations
Tracking System.

Results. In our assessment of the Noncombatant Evacuation Operations Tracking
System, the Defense Manpower Data Center implementation of the Government
Information Security Reform Act requirements, as reported in the Government
Information Security Reform Act collection matrix for FY 2001, was generally accurate
as of August 1, 2001, the date of the FY 2001 collection matrix data. Although 6 of
the 32 responses provided in the collection matrix were technically inaccurate because
the supporting documents were in draft form, we concluded that the Defense Manpower
Data Center was making progress toward achieving full information security
accreditation for the Noncombatant Evacuation Operations Tracking System by
August 2002, the target date for completion of the FY 2002 collection matrix. For
details on the audit results, see the Finding section.

Management Comments. We provided a draft of this report on May 3, 2002.
Because this report contained no recommendations, written comments were not
required, and none was received. Therefore, we are publishing this report in final
form.

Table of Contents

Executive Summary

Introduction
     Background
     Objectives

Finding
     Noncombatant Evacuation Operations Tracking System
       Information Security

Appendixes
     A. Audit Process
         Scope
         Methodology
         Prior Coverage
     B. Government Information Security Reform Act Collection Matrix
          Submission
     C. Report Distribution

Background

Government Information Security Reform. On October 30, 2000, the
President signed the Floyd D. Spence National Defense Authorization Act for
FY 2001 (Public Law 106-398), which includes title X, subtitle G, the
“Government Information Security Reform” (GISR) Act. Subtitle G directs that
the Government ensure effective controls for highly networked Federal
information resources; management and oversight of information security risks;
and a mechanism for reporting improved information system security oversight
and assurance for Federal information security programs. The GISR Act directs
each Federal agency (DoD for purposes of this report) to annually evaluate its
information security program and practices and, as part of the budget process,
submit the results of the evaluation to the Office of Management and Budget.
The GISR Act covers both unclassified and national information security
systems and creates a comparable security management framework for each.
The GISR Act also requires that the agency Inspector General or other
independent agent evaluate the agency information security program and
practices. Also, the GISR Act requires each agency Inspector General or other
independent agency to select and test a subset of systems that will confirm the
effectiveness of the information security programs.

DoD Responsibilities. The GISR Act directs DoD to annually evaluate its
information security program and practices. The DoD uses information
technology for thousands of processes that are integral to support and
operational functions.
Mission-critical, mission-essential, and support-function
processes, or applications, reside on computer systems throughout DoD.
Applications for the DoD Components include financial accounting; personnel;
pay and disbursement; materiel shipping, receiving, and storing; munitions
maintenance; and weapon systems-associated applications.

The GISR Act directs that DoD as part of the budget process submit the results
of their annual evaluation to the Office of Management and Budget. Office of
Management and Budget guidance, memorandum 01-24, “Reporting on the
Government Information Security Reform Act,” June 22, 2001, directs the
Secretary of Defense to transmit the FY 2001 annual evaluation of information
security program and practices to the Office of Management and Budget by
October 1, 2001. The Assistant Secretary of Defense (Command, Control,
Communications, and Intelligence) [ASD(C3I)] formed and chaired an Integrated
Process Team to develop and finalize the guidance and methodology for DoD
reporting of the GISR Act. The Integrated Process Team developed a 32-column
spreadsheet--GISR Act collection matrix--to gather data on assessments of the
effectiveness of DoD information assurance policies, procedures, and practices.
DoD required the FY 2001 GISR Act collection matrix data completion as of
August 1, 2001.

Inspector General Responsibilities. Office of Management and Budget issued
memorandum 01-08, “Guidance on Implementing the Government Information
Security Reform Act,” in January 2001 to provide implementation instructions
for Federal agencies in carrying out the GISR Act. Guidance specific to the
duties of each Inspector General as an independent evaluator was also included
in that memorandum.
The Office of Management and Budget guidance states
that each Inspector General or independent evaluator “should perform an annual
evaluation of the agency’s security program and practices. This testing includes
testing the effectiveness of security controls for an appropriate subset of agency
systems.” Although the GISR Act applies to all Government information
systems, Office of Management and Budget acknowledged that agencies could
not review all of those systems every year. As a result, the independent
evaluation should identify and assess a logical representative sampling of
systems that can be used to form the basis of a conclusion regarding the
effectiveness of an agency’s overall security program.

DoD Systems. The Office of the Inspector General of the Department of
Defense developed a stratified random sample from the population of
automated information systems the DoD evaluated and reported for FY 2001 in
the “GISR Report FY01: Government Information Security Reform Act,
Report of the Department of Defense,” October 2001 (DoD GISR Act Report).
DoD selected and reported in the DoD GISR Act Report on a sample of
560 automated information systems from the almost 4,000 systems listed in the
DoD Information Technology Registry.[1] The Office of the Inspector General
of the Department of Defense stratified random sample included 115 systems
from the universe of 560 systems that were reported on in the DoD GISR Act
Report.
The audit agencies for the Military Departments and the Defense
Information Systems Agency, Inspector General will evaluate 91 of the
information systems included in the sample 115 by August 2, 2002. The Office
of the Inspector General of the Department of Defense will evaluate the
remaining 24 systems that support DoD agencies and activities. This report
discusses the evaluation of 1 of the 24 DoD-level systems, the Noncombatant
Evacuation Operations Tracking System (NTS).

DoD Information Security Program. DoD Instruction 5200.40, “DoD
Information Technology Security Certification and Accreditation Process,
(DITSCAP),” December 30, 1997, provides the procedures for certification and
accreditation of information technology to include information systems,
networks, and sites in DoD. It also assigns responsibilities for oversight and
implementation of the certification and accreditation process. DITSCAP is to be
used as guidance throughout the certification and accreditation process. DoD
Manual 8510.1-M, “Department of Defense Information Technology Security
Certification and Accreditation Process (DITSCAP) Application Manual,”
July 2000, provides implementation guidance that standardizes the certification
and accreditation process throughout DoD.

[1] The Information Technology Registry was established in response to requirements contained in
    section 8102(a) of the National Defense Appropriation Act for FY 2001 and section 811(a) of the
    National Defense Authorization Act for FY 2001. The DoD registry must contain all of the fielded
    mission critical and mission essential systems as well as all the mission critical and mission essential
    systems that are in development.

Objectives

Our overall audit objective was to assess NTS for implementation of the GISR
requirements of the Floyd D. Spence National Defense Authorization Act for
FY 2001. See Appendix A for a discussion of the audit scope and methodology.

Noncombatant Evacuation Operations
Tracking System Information Security

Data reported for NTS in support of the implementation of the GISR Act
requirements for FY 2001 were generally accurate as of August 1, 2001.
Of the 32 responses provided on the matrix, 6 were technically inaccurate
because the supporting documents were in draft form. However, the
Defense Manpower Data Center (DMDC)[2] was following DITSCAP to
certify and accredit NTS. As a result, DMDC is making progress in
achieving full information security accreditation for NTS by August 2002.

System Background

NTS is a mission essential[3] system developed to support noncombatant evacuation
operations. Noncombatant evacuation operations are conducted during times of
endangerment or as part of a military exercise to evacuate civilian noncombatants
and nonessential military personnel from foreign or host nations. The purpose of
the NTS is to provide individual accountability for noncombatant evacuees by
creating and maintaining an automated database of evacuees assembled during an
evacuation operation.
NTS was initially developed in October 1998 for
U.S. Forces Korea. Since that time, NTS has been deployed to the European
(June 2000) and Pacific (February 2001) theaters of military operations.

Hardware Configuration. NTS is a set of commercial-off-the-shelf laptop
computer workstations, scanners, miniservers, and main database server.
Under normal operation, NTS is a stand-alone system (not required to be
connected to a computer network to operate) that is not employed until
evacuations or military exercises are conducted. When NTS is employed, the
system is activated and a database is created.

System Operations. During an evacuation, evacuees report to an evacuation
control center where information about the individual is gathered and entered in
the system at an NTS registration workstation. The registration workstation
(laptop computer) is capable of reading and processing a variety of scanned
identification documents, including passports and DoD identification cards.
Each individual is assigned a unique NTS tracking number that is linked to the
individual’s identification document. The tracking number is located on an
identification bracelet similar to those hospitals use and must be worn by the
evacuees. The data from the laptops used in the registration are saved to an
evacuation control center miniserver by way of a wireless modem. Registered
evacuees may include service members, DoD and non-DoD civilian employees;
U.S. residents abroad, foreign nationals, corporate employees; and any
dependents and pets.

[2] DMDC is the program office for NTS and is responsible for the continued development and maintenance
    of the system. DMDC is a component of the DoD Human Resource Activity.
[3] Mission essential systems are those systems that are basic and necessary for the accomplishment of an
    organization’s mission.

Registration data from the miniservers are stored on a database server at the
theater command level. The evacuation database server is a fully dedicated
server that is not used for other automated systems. The evacuation database is
saved to a DMDC server located at DMDC-West, Monterey, California,
through a data extraction that DMDC initiates. DMDC can then post the
evacuation database on the Web to provide access to Pentagon decisionmakers
and planners. The status of an evacuee at each stage of the evacuation process
is updated through scanning of the identification bracelet and can be provided on
an official use only basis through a secure Web site. Access to the Web site
must be cleared through DMDC.

Data Collection Matrix

DMDC through the DoD Human Resource Activity provided the response for
the NTS to ASD(C3I) as of August 1, 2001, and the data reported were
generally accurate. In response to the GISR Act requirement for each Federal
agency to annually evaluate and report on its information security program and
practices, ASD(C3I) developed a GISR Act data collection matrix (the matrix)
for DoD. The Assistant Secretary developed the matrix as a management tool
to track information assurance trends and outcomes. The matrix consisted of a
spreadsheet divided into four sections for data. Section titles included
identifying information, accreditation information, assessment criteria
information, and operations and assessment interest items.

In response to the information in the matrix, DMDC was generally required to
answer yes, no, or provide a date for action completed.
With the exception of a
special section that could be used for augmenting comments, no other
explanation was required or expected. A discussion of each section of the
matrix and the data that DMDC reported in the matrix for NTS follow, along
with our analyses of the reported data for DMDC. Appendix B contains the
information for NTS that was reported in the matrix that ASD(C3I) used for the
DoD GISR Act Report.

Identifying Information. DMDC was requested to provide the system/network
name, acronym, component owner, and information technology classification
(mission critical or mission essential) in the identifying information section of
the matrix. DMDC responded in the matrix that NTS was under the component
ownership of the DoD Human Resource Activity and was classified as a mission
essential information technology system. We verified that the identification
information in the matrix was essentially correct as stated in the DoD
Information Technology Registry.

Accreditation Information. DMDC was requested to provide the date of
accreditation certification, date of interim certification, the accreditation
method, and documentation for certification and accreditation in the
accreditation information section of the matrix.

    Accreditation Date. DMDC was requested to provide the date that an
accreditation process accredited NTS. DoD Directive 5200.28, “Security
Requirements for Automated Information Systems (AISs),” March 21, 1988,
establishes the minimum security requirements for DoD automated information
systems. DITSCAP implements the Directive, assigns responsibility, and
prescribes procedures for certification and accreditation. DMDC responded in
the matrix by leaving the field blank. We verified that the lack of a DMDC
response was appropriate.
DMDC did not place a date in the field because NTS
was in the process of applying DITSCAP requirements.

    Interim Certification Date. DMDC was requested to provide the date
that an interim authority to operate was granted. According to the provisions of
DITSCAP, interim authority should be based on the establishment of an
acceptable level of risk in operating the system. DMDC responded in the matrix
that an interim authority to operate was granted to NTS on July 27, 2001. We
verified that an interim authority to operate for 1 year was granted by the NTS
Designated Approving Authority, the Director of DMDC, and that DMDC
planned to complete the NTS certification and accreditation process prior to the
expiration of the interim authority to operate.

    Accreditation Method. DMDC was requested to identify if NTS was
accredited under DITSCAP. Several policies govern actions of program
officials, but DITSCAP is the principal governing document for risk assessment
and mitigation of DoD information technology systems. DITSCAP establishes
the oversight mechanism that ensures identification of appropriate information to
certify, accredit, and maintain a program’s security. DMDC responded in the
matrix that they were using DITSCAP to certify and accredit the NTS. We
verified that the NTS was following DITSCAP procedures, but DMDC should
have responded “no” to the question because as of August 1, 2001, NTS was
not accredited.

    Certification and Accreditation Documentation. DMDC was
requested to identify if formal documentation existed that the Inspector General
of the Department of Defense or other entities could use to verify accreditation.
DITSCAP requires a System Security Authorization Agreement (SSAA) for
each information technology system.
The SSAA is a formal and binding
document among the system program manager, the Designated Approving
Authority, the Certifying Authority, and the user representative that establishes
the level of security required. The SSAA guides the process and documents the
results for certification and accreditation as well as implementation of
information technology security requirements. DMDC responded in the matrix
that they had formal documentation in effect for the NTS certification and
accreditation process. We confirmed that DMDC documented the NTS
certification and accreditation process with a draft SSAA. However, as of
August 1, 2001, the SSAA was in draft form and not a formal (signed)
document. Therefore, DMDC should have answered “no” in response to
having formal certification and accreditation documentation. DMDC planned to
finalize the SSAA by August 2002, when the NTS is accredited.

Assessment Criteria Information. DMDC was requested to confirm that
information assurance controls and plans in the assessment criteria information
section of the matrix existed. According to the instructions provided for the
matrix, ASD(C3I) developed the assessment criteria information section to assess
selected systems on the basic program management, controls, and procedures
that exist as part of the operation of the system.

    Access Controls. DMDC was requested to identify if access controls
were in place. ASD(C3I) defined access controls as controls that limited access of
information system resources to authorized users, programs, processes, or other
systems. DMDC responded in the matrix that access controls were in place. We
verified that DMDC had access controls in place.
Those access controls that NTS
used included: users were required to identify themselves during system login
through the use of a protected mechanism (such as passwords) to authenticate user
identity and user accounts; and access to the authentication security accounts
database and logon programs were denied to the NTS user.

    Risk Assessment and Management Plan. DMDC was requested to
identify if a risk assessment and management plan was completed. ASD(C3I)
defined risk as the possibility of something adverse happening; risk assessment
as the process of analyzing threats and vulnerabilities of an information system,
and the potential impact of lost information; and risk management as the process
of assessing risk, taking steps to reduce risk to an acceptable level, and
maintaining that level of risk. DMDC responded in the matrix that a risk
assessment and management plan was not completed. We verified that when
DMDC submitted the matrix data as of August 1, 2001, they had not developed
an NTS risk assessment and management plan. However, since that time,
DMDC developed a draft NTS risk assessment and management plan. DMDC
planned to finalize the risk assessment and management plan by August 2002.

    System Life-Cycle Plan. DMDC was requested to identify if a system
life-cycle plan existed. System life-cycle plan guidance that ASD(C3I) provided
with the matrix was that many models for the system life cycle exist but most
contain five basic phases: initiation, development and acquisition, implementation,
operation, and disposal. DMDC responded in the matrix that NTS had a system
life-cycle plan. We confirmed that as of August 1, 2001, DMDC had a draft NTS
life-cycle plan.
Because the plan was a draft document that would not be finalized
until the NTS is accredited, DMDC should have answered “no.” During our
review, NTS was in the implementation phase of DITSCAP compliance and was
undergoing continuing development and upgrades. According to the draft
life-cycle plan, short term (within 5 years) hardware upgrades were based upon
whether the commercial-off-the-shelf equipment such as computers, passport
readers, printers, and scanners met the system use criteria and were less expensive,
smaller, and more structurally sound and rugged. Application software was to be
updated annually, or as required, based on feedback from system users.

    System Security Plan. DMDC was requested to identify if a system
security plan was in place. ASD(C3I) defined a system security plan as an
overview of the security requirements of a system, a description of the controls
in place or the controls planned for meeting those requirements, and delineation
of responsibilities and expected behavior of the individuals who access the
system. DMDC responded in the matrix that NTS had a system security plan.
We verified that DMDC had a draft system security plan for NTS as of
August 1, 2001. DMDC should have responded “no” because the plan was a
draft document that would not be finalized until NTS is accredited. The NTS
draft system security plan was titled, “NTS Security Standard Operating
Procedures Plan.” The draft plan identified the security measures that must be
enforced to operate the NTS so it can securely process sensitive unclassified
information.
In addition, the draft plan provided guidelines to assist personnel
responsible for NTS security in directing the safeguarding of sensitive
unclassified information contained in NTS equipment from unauthorized access
and use, alteration, destruction, and denial of service. The draft plan also
described the responsibilities of information system security personnel
responsible for NTS, defined the requirements to maintain compliance with the
accreditation, including periodic security reviews, risk management, a
continuity of operations plan, required actions in the event of compromise,
initial and periodic security training programs, and reaccreditation. Further, the
draft plan prescribed detailed procedures the NTS site managers, administrators,
and users were required to carry out that will ensure secure operation of the
NTS. The security guideline procedures applied to all NTS operating sites.

    Personnel Security Measures. DMDC was requested to identify if
proper personnel security measures were in place. ASD(C3I) defined personnel
security measures as a broad range of security issues related to how human
users, designers, implementers, and managers of software and hardware interact
with computers, and the access and authorities needed to do their jobs. DMDC
responded in the matrix that NTS had personnel security measures in place. We
confirmed that personnel security measures were in place for NTS. NTS
registrars’ (operator and user) access and authority were limited to individuals
required to perform and manage noncombatant evacuation operations. The
noncombatant evacuation operation system administrators and evacuation control
centers’ officer in charge were responsible for authorizing operators and users.
NTS users and operators had authorized access to only the information required
to perform assigned tasks.
The concept of “need to know” was primarily
implemented in NTS systems through the use of password protection and
physical access procedures. The NTS program officer at DMDC was
responsible for controlling access to the NTS Web site.

    Physical Security Controls. DMDC was requested to identify if
physical security controls were in place. ASD(C3I) defined physical security
and environment security as the measures taken to protect systems, buildings,
and related supporting infrastructures against threats associated with their
physical environment. DMDC responded in the matrix that NTS had physical
security controls in place. We verified that physical security controls were in
place at DMDC-West. Although the NTS plan for physical security includes
physical security procedures for operational units that use the system, as a
practical matter we did not verify the controls of the operational units in Korea,
Japan, and Europe. Physical security controls for NTS included: equipment
must be physically secure at all times, system components must be locked and
secured when not in use, and when in use, access to the systems was limited to
authorized users only. Additionally, the NTS was to be operated in facilities
and areas that maintained physical security measures that comply with applicable
Federal, Service-level, and local security policies.

    Administrative Controls. DMDC was requested to identify if
administrative controls were in place. ASD(C3I) did not define administrative
controls but suggested that administrative controls included the presence of a
help desk and audit trail. Administrative controls are designed to promote
operational efficiency and adherence to system policies and procedures.
DMDC responded in the matrix that NTS had administrative controls in place.
We verified the DMDC response.
According to the NTS draft SSAA, user
administrators (site designated approving authority, the site security officer, and
Component-level system administrator) were responsible for ensuring that
Federal, DoD, and local computer security-related standards were enforced.
Even though there were no specific NTS system-level administrative
requirements, DMDC did staff an NTS help desk during noncombatant evacuation
operation exercises.

        Contingency Plans. DMDC was requested to identify if contingency
plans were in place, and if so, when a contingency drill, data loss drill,
or power loss drill last occurred. ASD(C3I) defined contingency planning
as involving more than simply planning for a move offsite after a disaster
destroys a facility. Contingency planning was to also include how to keep an
organization’s critical functions operational in the event of disruptions, both large
and small. DoD Directive 5200.28 requires periodic testing of contingency plans
for mission critical systems and encourages contingency plans for all systems.
DMDC responded in the matrix that NTS had contingency plans in place, but left
the date the contingency plans were last exercised blank. We verified that NTS
had draft contingency plans, but that DMDC had not fully tested the draft plans.
DMDC should have responded “no” because the plans were draft documents that
would not be finalized until NTS is accredited. The NTS draft contingency plans
address three system-specific contingencies most likely to occur: power outages,
communications failures (land line and satellite), and hardware and software
failures. Additionally, the draft plans include three site-specific contingencies:
natural disasters (for example, fire, flood, and earthquake), civil disorders, and
bomb threats.

One draft plan includes a contingency for the primary server for the U.S. Forces
Korea theater becoming inoperable.
If that event were to occur, data would then
go to the backup server in the southern part of the Korean Peninsula. If the backup
server also becomes inoperable, a server at DMDC-West could be employed as the
primary NTS server. All the servers were to be protected by uninterruptible
power supplies. Another of the contingencies addressed the loss of power in an
evacuation control center with no local backup source available. If that were to
happen, the users processing noncombatants would revert to a manual process to
complete noncombatant evacuation operations. As reported by DMDC, the draft
contingency plan had not been tested. However, DMDC had executed parts of the
draft plan, such as use of satellite communications and the use of the DMDC-West
server as the primary server. Manual processing to complete noncombatant
evacuation operations and site-specific contingencies were not practiced.

        Hardware and System Software Maintenance Plans. DMDC was
requested to identify if hardware and software maintenance plans were in place.
ASD(C3I) defined hardware and software maintenance plans as controls used for
monitoring the installation of, and update to, hardware and software to ensure
that the system functions as expected and that a historical record of changes is
maintained. DMDC responded in the matrix that NTS had hardware and system
software maintenance plans in place. We confirmed that NTS had a draft
hardware and system software maintenance plan. DMDC should have
responded “no” because as of August 1, 2001, the plan was a draft document
that would not be finalized until NTS is accredited. The NTS draft maintenance
plan required that hardware be maintained and tested prior to training exercises
and noncombatant evacuation operations. Hardware testing was to be
performed quarterly.
Commercial-off-the-shelf equipment warranties provided
hardware maintenance for the system as required.

The draft maintenance plan called for NTS application software to be updated
annually, or as required based on user feedback. DMDC collected feedback
from the users and provided periodic software updates based on requested
system characteristics or if flaws were discovered through usage.

        Data Integrity Process. DMDC was requested to identify if data
integrity processes were in place. ASD(C3I) defined data integrity process as
controls used to protect data from accidental or malicious alteration or
destruction and used to provide assurance for users that the information met
expectations about its quality and integrity. DMDC responded in the matrix that
NTS had data integrity processes in place. We verified that NTS had a data
integrity process. NTS used a “layered protection” concept that included
multilevel password protection of NTS software that minimized unauthorized
access of the operating system and information, and encryption that guaranteed
integrity and confidentiality. The concept was facilitated in NTS through the
use of software controls and the physical, personnel, and procedural measures.

        Security Incident Response Plan. DMDC was requested to identify if a
security incident response plan was in place. ASD(C3I) defined a security
incident response plan as a formal description and evaluation of risks to an
information system, and a process that identified and applied countermeasures
commensurate with the value of the assets protected based on a risk assessment.
An incident response plan should have help capability when an adverse event in
a computer system or network causes a failure of a security mechanism or when
an attempted breach of those mechanisms occurs. DMDC responded in the
matrix that NTS did not have a security incident response plan in place. We
confirmed the response.
As of August 1, 2001, DMDC had not developed a
plan. However, since that time, a draft security incident response plan was
developed. The draft plan provided general guidelines for the systematic
response to unauthorized system intrusions associated with NTS. Additionally,
the draft plan established rules and practices that facilitated an orderly and
controlled evaluation and clean-up of any unauthorized intrusion associated with
the NTS application.

Operations and Assessment Interest Items. DMDC was requested to identify
specific operational assessment mechanisms as well as provide general comments
to augment reporting efforts on the basic program management, controls, and
procedures that existed as part of the operation of the system in the operations
and assessment interest items section of the matrix. ASD(C3I) did not provide
definitions for reporting elements contained in the section. Information contained
in the operations and assessment interest items section of the matrix included
network protections, vulnerabilities, assessments, and system interfaces.

        Network Protections. ASD(C3I) requested data from DMDC on the
network security functions of intrusion detection systems and firewalls.

           •   Intrusion Detection System. DMDC was requested to identify if
               an intrusion detection system that protected the NTS was present.
               An intrusion detection system inspects all inbound and outbound
               network activity and identifies suspicious patterns that may
               indicate a network or system attack from someone attempting to
               break into or compromise a system.

           •   Firewalls. DMDC was requested to identify if boundary
               protections, such as firewalls, that protected the NTS were
               present. A firewall is a boundary protection system that limits
               access between networks to prevent intrusions from outside the
               network. A firewall stops external intrusions, but does not detect
               an attack from inside the network.

DMDC responded in the matrix that NTS was protected by an intrusion
detection system and had boundary protection in place. We confirmed that NTS
was protected by intrusion detection and a firewall at the DMDC-West site.
NTS was a stand-alone system and not connected to a network. As a result,
NTS did not include an intrusion detection system or firewalls at operational
units. However, the DMDC-West intrusion detection system and firewalls
protected the NTS data on the DMDC-West server and NTS Web site.

        Vulnerabilities. ASD(C3I) requested information from DMDC on the
NTS compliance with the information assurance vulnerability alert process and
vulnerability analysis and assessment program procedures.

               Information Assurance Vulnerability Alert. DMDC was
requested to identify if NTS was fully information assurance vulnerability alert
compliant in both acknowledging and adhering to information assurance
vulnerability alerts. An information assurance vulnerability alert is a process
that incorporates identification and evaluation of new vulnerabilities,
disseminates technical responses, and tracks compliance within DoD. Alerts are
generated when a critical vulnerability that poses an immediate threat to DoD
exists. DMDC did not provide a response in the matrix. We confirmed that the
DMDC response was appropriate as of August 1, 2001, because DMDC did not
have an information assurance vulnerability alert plan. However, since that
time, DMDC began developing an information assurance vulnerability alert plan
expected to be finalized by August 2002.

               Vulnerability Analysis and Assessment Program. DMDC was
requested to identify if NTS had a vulnerability analysis and assessment
program. According to the NTS draft SSAA, a vulnerability analysis and
assessment program was a systematic examination of an information system that
determined the adequacy of security measures, identified security deficiencies,
provided data from which to predict the effectiveness of proposed security
measures, and confirmed the adequacy of measures after implementation.
DMDC did not provide a response in the matrix. We confirmed that the
DMDC response was correct as of August 1, 2001. However, since that time,
DMDC proceeded with development of a vulnerability analysis and assessment
program expected to be completed by August 2002.

           Assessments. DMDC was requested to identify the dates for the most recent:

               •   red and blue team assessment
               •   Joint Staff integrated vulnerability assessment
               •   system requirements reviews
               •   balance survivability assessment
               •   integrated vulnerability assessment

    DMDC provided no response in the matrix. We confirmed that the DMDC
    response was correct as of August 1, 2001, because the reporting elements in
    the section were specific assessments and technical controls that not all systems
    were required to perform, which included NTS.

            System Interfaces. DMDC was requested to identify if NTS required a
    connection approval to connect to a larger backbone network. System interfaces
    are connections to other information systems for the purpose of transmitting or
    receiving data. DMDC did not provide a response in the matrix.
    We confirmed
    that the DMDC response was appropriate because NTS was a stand-alone
    system that had no active interface with other systems.

Conclusion
    From our analysis of the data reported in the matrix for the NTS, we concluded
    that DMDC was following DITSCAP to certify and accredit NTS. Although
    6 of 32 responses provided in the matrix were technically incorrect because the
    documents were in draft form, we further concluded that DMDC was making
    progress in achieving full information security accreditation for NTS by
    August 2002.

Appendix A. Audit Process

Scope
    Work Performed. We verified and validated the NTS data supporting the DoD
    GISR Act Report. To accomplish the audit objective, we:

        •   reviewed Public Law 106-398, Office of Management and Budget
            guidance, and the DoD regulations and guidance related to the GISR Act;

        •   interviewed NTS personnel in DMDC who prepared the GISR Act
            matrix submission;

        •   verified the information reported on the GISR Act data collection matrix.
            Our verification consisted of reviewing the documentation that supported
            the answers DMDC provided on the GISR Act collection matrix as of
            August 1, 2001; and

        •   reviewed certification and accreditation documentation DMDC had
            developed subsequent to August 1, 2001.

    Limitations to Audit Scope. We limited the audit scope to verification and
    validation of information in the NTS GISR Act collection matrix submission and
    certification and accreditation progress made since; we did not perform an
    operational review of the NTS site certification and accreditation process.
    We did
    not perform that review because NTS is an inactive system until an evacuation
    operation or military exercise is performed in a military theater of operations.
    As a practical matter, we did not visit operational sites in Korea, Japan, and
    Europe to observe the physical security of deployed systems not in use.
    Additionally, we did not review the management control program because DoD
    recognized information assurance programs as a material weakness in its
    FY 2000 Statement of Assurance, which was its most recent, signed Statement
    of Assurance.

    High-Risk Area. The General Accounting Office has identified several
    high-risk areas in DoD. This report provides coverage of the Information
    Security high-risk area.

Methodology
    Use of Computer-Processed Data. We did not use computer-processed data to
    perform this audit.

    Audit Type, Dates, and Standards. This program audit was performed from
    January through March 2002 in accordance with generally accepted government
    auditing standards.

    Contacts During the Audit. We visited or contacted individuals and
    organizations within DoD. Further details are available on request.

Prior Coverage
    No prior coverage has been conducted on NTS during the last 5 years.

Appendix B. Government Information Security
            Reform Act Collection Matrix
            Submission

    We evaluated the GISR Act collection matrix that DMDC submitted as of August 2001
    to ASD(C3I). The following is a summary of the data ASD(C3I) requested, the
    response from DMDC, and our audit analysis of the response for 26 of 32 fields on the
    data collection matrix.
    We did not include in the matrix below administrative
    information of the four fields that related to system identification and two of the fields
    that were not applicable. A list of acronyms is at the end of this appendix.

                          Accreditation Information

                        DMDC
Data Requested          Response [4, 5]   Audit Results

Accredited? (Date)      Blank             The DMDC goal was to accredit NTS by
                                          August 2002.

Interim Authority to    July 27, 2001     Interim authority to operate NTS was granted by
Operate? (Date)                           the Designated Approving Authority (Director,
                                          DMDC) and was good for 1 year.

Accreditation under     Yes               DMDC should have responded “no” because the
DITSCAP?                                  NTS was not accredited as of August 1, 2001.

                                          DMDC was following DITSCAP to certify and
                                          accredit NTS, and planned for a full
                                          accreditation by August 2002.

Formal Documentation    Yes               DMDC should have responded “no” because the
in effect? (SSAA or                       SSAA was a draft document as of August 1, 2001.
other certification
and accreditation                         DMDC documented the NTS certification and
documentation)                            accreditation process with a draft SSAA.

                                          The draft SSAA will be formalized when the
                                          system is accredited.

[4] Some questions request a date only. If a date was provided, it can be implied that the answer was yes.
[5] Some questions were answered as Yes, No, or DITSCAP; the answers indicate if the system or network was
    accredited by DITSCAP, inherently, it would have these items in place.

                       Assessment Criteria Information

                        DMDC
Data Requested          Response          Audit Results

Access controls in      Yes               The NTS used passwords and user accounts.
place?                                      − Users logged onto laptop computers
                                              using a three-digit code
                                            − Passwords were alphanumeric and included
                                              special characters
                                            − Web users were required to establish an
                                              account and a password

                                          The miniserver verified a laptop computer’s
                                          hardware identification code prior to
                                          allowing access.

Risk Assessment and     No                DMDC had not completed the risk assessment
Management Plan                           and management plan.
completed?
                                          The NTS risk vulnerability assessment was in
                                          draft and scheduled to be completed by
                                          August 2002.

System Life-Cycle       Yes               DMDC should have responded “no” because the
Plan exists?                              SSAA was a draft document.

                                          The draft SSAA included a basic system
                                          life-cycle plan.

                                          The life-cycle plan was to be revised as
                                          commercial-off-the-shelf technology was
                                          upgraded and new policies were instituted.

System Security Plan    Yes               DMDC should have responded “no” because the
in place?                                 SSAA was a draft document.

                                          The draft SSAA included a security plan as an
                                          appendix.
                                            − Standardized procedures were provided to
                                              users

Proper Personnel        Yes               NTS had separate levels of users, with varying
Security measures in                      levels of access and control.
place? (includes                            − System administrators
assignment of duties                        − Evacuation Control Center Officer in Charge
and segregation of                          − Registrars (operator and user)
duties)
                                          Passwords were required to be changed every
                                          6 months.

Physical Security       Yes               NTS equipment was to be secured by the owner
Controls in place?                        when not in use.

                                          When deployed, the systems were to be guarded
                                          by user unit personnel
                                            − Guards were to be posted at registration
                                              center entrances
                                            − Noncombatants were to be physically
                                              searched before entering registration
                                              centers

Administrative          Yes               NTS draft SSAA required user unit
controls in place?                        administrators to ensure that all Federal, DoD,
(includes help desk                       and local computer security-related standards
and audit trail)                          were being enforced.

                                          Even though the draft SSAA required no specific
                                          NTS system level administrative controls, DMDC
                                          staffed a help desk during evacuation exercises.

Contingency Plans       Yes               DMDC should have responded “no” because the
in place?                                 contingency plan was a draft document.

                                          The draft contingency plan addressed three
                                          contingencies most likely to occur: power
                                          outages, communications failures, and hardware
                                          and software failures.

                                          DMDC-West was the backup site server for the
                                          U.S. Forces Korea server.
                                            − If Korea servers were down or destroyed,
                                              the information on the miniserver was to
                                              be pushed to a DMDC-West server

Date Contingency        Blank             The draft contingency plan had not been fully
Plans last exercised?                     exercised but pieces of the draft plan, such as
                                          the use of satellite communications, were.

Hardware and            Yes               DMDC should have responded “no” because the
System Software                           maintenance plans were draft documents.
Maintenance Plans
in place? (includes                       According to the draft plans, maintenance was
version control                           to be verified and equipment tested prior to
testing)                                  training exercises.
                                            − Hardware and system maintenance testing
                                              quarterly
                                            − Hardware was replaced by use of warranties
                                              (commercial off the shelf hardware)

                                          Software was updated annually, or as required
                                          based on user feedback.

Data integrity          Yes               NTS data integrity process was facilitated
process in place?                         through the use of software controls, physical,
(includes virus scans                     personnel, and procedural measures
SOP [standing
operating                                 NTS used a layered protection concept
procedure], system                          − Multilevel password protection of system
performance                                   software and data
monitoring)                                 − Encryption of data transitions

Security Incident       No                Security Incident Response Plan was added to
Response Plan in                          the draft SSAA since the GISR Act data
place?                                    collection matrix submitted.
                                            − An incident reports database, kept at
                                              DMDC, was also added

                  Operations and Assessments Interest Items

                        DMDC
Data Requested          Response          Audit Results

Protected by IDS        Yes               Because NTS was a stand-alone system, IDS was
[Intrusion Detection                      not necessary or used at field-level
Software]?                                activities, but IDS protected the NTS
                                          information sent to DMDC Web site.

                                          Nothing in place to detect hackers.
                                            − Users could make unlimited login attempts
                                              to the laptop computers and Web site.
                                            − No database to hack until a noncombatant
                                              evacuation operation was in progress.

Boundary protection     Yes               The DMDC server was behind a firewall, but NTS
in place? (For                            application was outside a firewall.
example, firewall)

Red and Blue Team       Blank             No red and blue team assessments were
Assessment? (Date)                        performed.

Connection              Blank             NTS was a stand-alone system and had no
Approved?                                 interface with other systems.

                                          The DMDC server could only extract data from
                                          NTS when DMDC dialed in
                                            − Data were pulled only when an exercise or
                                              an evacuation was in progress.

IAVA [Information       Blank             At the time matrix data was submitted, DMDC
Assurance                                 did not know what the IAVA process was.
Vulnerability Alerts]
Compliant?                                Since the data were submitted, DMDC had
                                          partially developed an NTS IAVA plan expected
                                          to be completed by August 2002.

VAAP [Vulnerability     Blank             The VAAP was partially completed and expected
Analysis and                              to be completed by August 2002.
Assessment Program]
Complete? (Date)

Joint Staff             Blank             DMDC personnel indicated that they did not
Integrated                                obtain any information on the subject.
Vulnerability
Assessments
Complete? (Date)

System Requirements     Blank             According to DMDC, the reviews were not
Reviews Complete?                         applicable because NTS was a Component-level
(Date)                                    system.
                                            − NTS had only a functional requirements
                                              document

Balance                 Blank             DMDC did not obtain any information on this
Survivability                             subject.
Assessment
Complete? (Date)

Integrated              Blank             NTS is a stand-alone system and had not
Vulnerability                             integrated with any other systems.
Assessment
Complete? (Date)

Applicable Acronyms

ASD(C3I)          Assistant Secretary of Defense (Command, Control,
                     Communications, and Intelligence)
DITSCAP           Defense Information Technology Security Certification and
                     Accreditation Process
DMDC              Defense Manpower Data Center
GISRA             Government Information Security Reform Act
IAVA              Information Assurance Vulnerability Alerts
IDS               Intrusion Detection Software
NTS               Noncombatant Evacuation Operations Tracking System
SOP               Standing Operating Procedure
SSAA              System Security Authorization Agreement
VAAP              Vulnerability Analysis and Assessment Program

Appendix C. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
  Director, Defense-Wide Information Assurance Program

Department of the Army
Auditor General, Department of the Army

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force

Other Defense Organizations
Inspector General, Defense Intelligence Agency
Director, Defense Logistics Agency
Director, Defense Finance and Accounting Service
   Chief Information Officer
Director, DoD Human Resources Activity
   Director, Defense Manpower Data Center
Inspector General, Defense Information Systems Agency

Non-Defense Federal Organizations
Office of Management and Budget
General Accounting Office

Congressional Committees and Subcommittees, Chairman and
  Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency, Financial Management, and
  Intergovernmental Relations, Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International
  Relations, Committee on Government Reform
House Subcommittee on Technology and Procurement Policy, Committee on
  Government Reform

Audit Team Members
The Readiness and Logistics
Support Directorate, Office of the Assistant Inspector
General for Auditing of the Department of Defense prepared this report. Personnel of
the Office of the Inspector General of the Department of Defense who contributed to
the report are listed below.

Shelton R. Young
Kimberley A. Caprio
Tilghman A. Schraden
Kathryn L. Palmer
Walter S. Bohinski
Stuart W. Josephs
Jason T. Steinhart
Susan R. Ryan
Daniel L. Messner
Sharon L. Carvalho